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DESCRIPTION 



DATA PROCESSING METHOD r I TS ^PR OGRAM , A ND ITS DE VICE 
TECHNICAL FIELD 

The present invention relates to a data processing 
method for performing predetermined processing based on 
authentication results, its program, and its device. 

BACKGOUND ART 

There is a system where an authenticating side 
(authenticating means) confirms the legitimacy of an 
authenticated side (means to be authenticated) , then 
executes processing authorized to the authenticated side. 

In such a system, for. example, the authenticating 
side holds mutuai authentication key data for all 
authenticated sides and selects the mutual authentication 
key data corresponding to an authenticating side to 
perform the mutual authentication for each authenticating 
side. 

Further, when confirming the legitimacy of the 
authenticated side by the mutual authentication, the 
authenticating side specifies processing authorized to 
the authenticated side in advance based on a management 
table etc. and executes the specified processing. 

In the above -explained conventional; system, however, 



the authenticated side must hold the mutual 
authentication key data corresponding to all 
authenticating sides, so there is a problem that the 
management load of the mutual authentication key data is 
5 large. 

Further, in the above-explained conventional system, 
it is necessary to specify the processing authorized to 
an authenticated side based on a management table 
separately from the mutual authentication, so there is 
10 the problem of a large load for preparation, management, 
etc. of the management table. 

DISCLOSURE OF THE INVENTION 

The present invention has as its object to provide 
a data processing method enabling reduction of a 

15 processing load of the authenticating means when the 
authenticating means authenticates the means to be 
authenticated, then executes processing authorized to the 
means to be authenticated, its program, and its device. 
To attain the above object, the data processing 

20 method of a first aspect of the invention provides a data 
processing method performed by a means to be 
authenticated for holding first authentication use data 
generated by encryption using key data and an 
authenticating means for holding the key data, comprising 

25 a first step of having the means to be authenticated 
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provide key designation data designating the key data to 
the authenticating means; a second step of having the 
authenticating means perform encryption using the key 
data designated by the key designation data received at 
5 the first step to generate second authentication use 
data; a third step of having the means to be 
authenticated use the first authentication use data for 
authentication and having the authenticating means use 
the second authentication use data for authentication; 

10 and a fourth step of having the authenticating means 
execute processing related to the key data when the 
authentication at the third step decides that the first 
authentication use data and the second authentication use 
data are the same . 

15 The mode of operation of the data processing method 

of the first aspect of the invention is as follows. 

At the first step, a means to be authenticated 
provides key designation data for designating key data to 
the authenticating means. 

20 Next, at the second step, the authenticating means 

performs encryption using the key data designated by the 
key designation data received at the first step to 
generate second authentication use data. 

Next, at the third step, the means to be 

25 authenticated uses the first authentication use data for 
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authentication, and the authenticating means uses uses 
the second authentication use data for authentication. 

Next, at the fourth step, the authenticating means 
executes processing related to the key data when the 
5 authentication in the third step judges that the first 

authentication use data and the second authentication use 
data are the same. 

A data processing system of a second aspect of the 
invention provides a data processing system having a 

10 means to be authenticated for holding first 

authentication use data generated by encryption using key 
data and an authenticating means for holding the key data, 
wherein the means to be authenticated provides key 
designation data designating the key data to the 

15 authenticating means, the authenticating means performs 
encryption using the key data designated by the key 
designation data received from the means to be 
authenticated to generate second authentication use data, 
the means to be authenticated uses the first 

20 authentication use data for authentication and the 

authenticating means uses the second authentication use 
data for authentication, and the authenticating means 
executes the processing related to the key data when the 
authentication decides that the first authentication use 

25 data and the second authentication use data are the same. 
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The mode of operation of the data processing system 
of the second aspect of the invention is as follows. 

First, the means to be authenticated provides key 
designation data designating key data to the 
5 authenticating means. 

Next, the authenticating means performs encryption 
using the key data designated by the key designation data 
received at the first step to generate second 
authentication use data. 
10 Next, the means to be authenticated uses the first 

authentication use data for authentication, and the 
authenticating means uses the second authentication use 
data for authentication. 

Next, the authenticating means executes the 
15 processing related to the key data when the 

authentication decides that the first authentication use 
data and the second authentication use data are the same. 

A data processing method of a third aspect of the 
invention provides a data processing method where an 
20 authenticating means holding predetermined key data 
performs authentication together with a means to be 
authenticated holding first authentication use data 
generated by encryption using the key data, comprising a 
first step of receiving key designation data for 
25 designating the key data from the means to be 
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authenticated; a second step of using the key data 
designated by the key designation data received at the 
first step for encryption to generate second 
authentication use data; a third step of using the second 
5 authentication use data generated at the second step for 
authentication with the means to be authenticated using 
the first authentication use data for authentication; and 
a fourth step of executing processing related to the key 
data when the authentication at the third step decides 

10 that the first authentication use data and the second 
authentication use data are the same. 

A data processing system of a fourth aspect of the 
invention provides a data processing system for 
authentication with a means to be authenticated holding 

15 first authentication use data generated by encryption 
using predetermined key data and holding the key data, 
comprising an inputting means for inputting key 
designation data for designating the key data from the 
means to be authenticated; an authenticating means for 

20 using the key data designated by the key designation data 
received by the inputting means for encryption to 
generate second authentication use data and using the 
second authentication use data for authentication with 
the means to be authenticated using the first 

25 authentication use data for authentication; and a 
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controlling means for executing processing related to the 
key data when the authentication by the authenticating 
means decides that the first authentication use data and 
the second authentication use data are the same. 
5 A program of a fifth aspect of the invention 

provides a program to be executed by a data processing 
system for authentication with a means to be 
authenticated holding first authentication use data 
generated by encryption using predetermined key data and 

10 holding the predetermined key data, comprising a first 

routine of receiving key designation data for designating 
the key data from the means to be authenticated; a second 
routine of encryption using the key data designated by 
the key designation data received by the first routine to 

15 generate second authentication use data; a third routine 
of using the second authentication use data generated by 
the second routine for authentication with the means to 
be authenticated using the first authentication use data 
for authentication; and a fourth routine of executing 

20 processing related to the key data when the 

authentication in the third routine decides that the 
first authentication use data and the second 
authentication use data are the same. 

A data processing method of a sixth aspect of the 

25 invention provides a data processing method performed by 
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a means to be authenticated when an authenticating means 
holding key data uses key data designated from the means 
to be authenticated holding the first authentication use 
data for encryption to generate second authentication use 
5 data, uses the second authentication use data for 

authentication with the means to be authenticated, and 
performs processing related to the key data conditional 
on the authentication confirming that the first 
authentication use data and the second authentication use 

10 data are the same, comprising a first step of providing 
key designation data for designating the key data used 
when generating first authentication use data based on 
the predetermined generation method to the authenticating 
means; a second step of using the first authentication 

15 use data for authentication with the authenticating 
means; and a third step of making the authenticating 
means perform processing related to the key data based on 
the results of the authentication at the second step. 

A data processing system of a seventh aspect of the 

20 invention provides a data processing system forming a 
means to be authenticated when an authenticating means 
holding key data uses key data designated from the means 
to be authenticated holding the first authentication use 
data for encryption to generate second authentication use 

25 data, uses the second authentication use data for 
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authentication with the means to be authenticated, and 
performs processing related to the key data conditional 
on the authentication confirming that the first 
authentication use data and the second authentication use 
5 data are the same, comprising a first means for providing 
key designation data for designating the key data used 
when generating first authentication use data based on 
the predetermined generation method to the authenticating 
means; a second means for using the first authentication 

10 use data for authentication with the authenticating 

means; and a third means for making the authenticating 
means perform processing related to the key data based on 
the results of the authentication of the second means. 
A program of an eighth aspect of the invention, 

15 there is provided a program to be executed by a data 
processing system forming a means to be authenticated 
when an authenticating means holding key data uses key 
data designated from the means to be authenticated 
holding the first authentication use data for encryption 

20 to generate second authentication use data, uses the 

second authentication use data for authentication with 
the means to be authenticated, and performs processing 
related to the key data conditional on the authentication 
confirming that the first authentication use data and the 

25 second authentication use data are the same, comprising a 
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first routine of providing key designation data for 
designating the key data used when generating first 
authentication use data based on the predetermined 
generation method to the authenticating means; a second 
5 routine of using the first authentication use data for 

authentication with the authenticating means; and a third 
routine of making the authenticating means perform 
processing related to the key data based on the results 
of the authentication of the second means. 
10 BRIEF DESCRIPTION OF THE DRAWINGS 

FIG. 1 is a view of the overall configuration of a 
communication system of an embodiment of the present 
invention . 

FIG. 2 is a functional block diagram of a 
15 management device shown in FIG. 1. 

FIG. 3 is a flow chart for explaining an outline of 
the processing routine performed by the management device 
shown in FIG. 2. 

FIG. 4 is a view for explaining a card used in 
20 processing relating to an AP edit tool and management 
tool shown in FIG. 2. 

FIG. 5 is a functional block diagram of an IC card 
shown in FIG. 1. 

FIG. 6 is a view for explaining data stored in a 
25 memory shown in FIG. 5. 
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FIG. 7 is a view for explaining the software 
configuration of a SAM module shown in FIG. 1. 

FIG. 8 is a view for explaining the hardware 
configuration of the SAM module shown in FIG. 1 and a 
5 memory area of an external memory 7 . 

FIG. 9 is a view for explaining an AP memory area 
shown in FIG . 8 . 

FIG. 10 is a view for explaining application 
element data. 

10 FIG. 11 is a view for explaining the type of 

application element data APE. 

FIG. 12 is a flow chart for explaining preparation 
routines of an owner card and a user card. 

FIG. 13 is a view for explaining mutual 
15 authentication key data. 

FIG. 14 is a view for explaining a mutual 
authentication code . 

FIG. ISA and FIG.15B are views for explaining the 
relationship between the mutual authentication key data 
20 and service. 

FIG. 16 is a view for explaining a method for 
generating synthetic key data. 

FIG. 17 is a view for explaining another method of 
generation of synthetic key data. 
25 FIG. 18 is a view for explaining the hierarchy of 
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encryption of synthetic key data. 

FIG. 19 is a view for explaining an example of the 
features of synthetic key data. 

FIG. 20 is a view for explaining an example of a 
5 mode of use of the mutual authentication key data. 

FIG. 21 is a flow chart for explaining mutual 
authentication between a SAM management function portion 
of the management device shown in FIG. 1 and the SAM unit. 

FIG. 22 is a flow chart for explaining mutual 
10 authentication between a SAM management function portion 
of the management device shown in FIG. 1 and the SAM unit 
continuing from FIG. 21. 

FIG. 23 is a flow chart for explaining the 
processing of the SAM unit. 
15 FIG. 24 is a view for explaining a screen used for 

issuing various types of cards relating to the management 
device explained by using FIG. 2 and FIG. 4. 

FIG. 25 is a view for explaining a screen for 
preparation of an owner card. 
20 FIG. 26 is a view for explaining a card request 

screen . 

FIG. 27 is a view for explaining a screen for 
preparation of a user card. 

FIG. 28 is a view for explaining a screen for 
25 preparation of an AP encryption card. 
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FIG. 2 9 is a view for explaining a screen for 
preparation of a transport card. 

FIG. 30 is a view for explaining a SAM management 
screen. 

5 FIG. 31 is a view for explaining a screen showing 

an example of display content of a SAM tree area shown in 
FIG. 30. 

FIG. 32 is a view for explaining icons displayed in 
the SAM tree area shown in FIG. 30. 
10 FIG. 33 is a view for explaining a SAM network 

screen . 

FIG. 34 is a view for explaining a group screen. 
FIG. 35 is a view for explaining a SAM screen. 
FIG. 36 is a view for explaining an AP memory area 
15 screen. 

FIG. 37 is a view for explaining an APE type screen. 
FIG. 38 is a view for explaining an instance screen. 
FIG. 39 is a screen where a SAM command of a menu 
bar shown in FIG. 30 is designated. 
20 FIG. 40 is a view for explaining a case where a 

group of SAMs is prepared on the SAM management screen 
shown in FIG. 30. 

FIG. 41 is a view for explaining an AP memory area 
edi tor s cr een . 

25 FIG. 42 is a view for explaining a screen for 
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adding a package of the application element data APE . 

FIG. 43 is a view for explaining a screen for 
preparing the application element data APE . 

FIG. 44 is a view for explaining a screen for 
5 adding a version of the application element data APE. 

FIG. 45 is a view for explaining an AP memory area 
editor screen after a series of processing. 

BEST MODE FOR WORKING THE INVENTION 

Hereinafter, an explanation will be given of 
10 preferred embodiments by referring to the drawings . 

FIG. 1 is a view of the overall configuration of a 
communication system 1 of the present embodiment. 

As shown in FIG. 1, the communication system 1 uses 
a server apparatus 2 disposed in a store etc. , an IC card 
15 3, a card reader/writer 4, a personal computer 5, an ASP 
(application service provider) server apparatus 19, SAM 
(secure application module) units 9a, 9b,..., a 
management device 20, and a mobile communication device 
41 having a built-in IC module 42 to communicate via the 
20 Internet 10 and perform processing such as settlements 

using the IC card 3 or the mobile communication device 41. 

In the communication system 1, the management 
device 20 and the SAM units 9a and 9b perform the 
processing relating to an embodiment corresponding to the 
25 present invention. 
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Namely, the management device 20 performs 
processing for issuing cards (for example, owner cards 
and user cards explained later) having built-in ICs 
(integrated circuits of the present invention) used for 
5 making the SAM units 9a and 9b perform predetermined 

processing authorized by a manager etc. Due to this, it 
provides data required for mutual authentication to the 
means to be authenticated. 

Further, the management device 20 performs mutual 
10 authentication between the issued cards used by the 
manager and the user and the SAM units 9a and 9b and 
makes the SAM units 9a and 9b perform the authorized 
predetermined processing. 

In this case, the management device 20 becomes the 
15 means to be authenticated of the present invention, and 
the SAM units 9a and 9b become the authenticating means 
of the present invention. 

FIG. 2 is a functional block diagram of the 
management device 20. 
20 As shown in FIG. 2, the management device 20 has 

for example an AP edit tool 51, a management tool 52, a 
card reader/writer 53, a display 54, an I/F 55, and an 
operation unit 56. 

Here, the management device 20 corresponds to the 
25 data processing device of the eighth aspect of the 
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invention, the I/F 55 corresponds to the first means of" 

the present invention, and a SAM management function 

portion 57 corresponds to the second means and the third 

means of the present invention. 
5 The AP edit tool 51 and the management tool 52 may 

be realized by the data processing system executing a 

program (corresponding to the program of the ninth aspect 

of the invention) and may be realized by an electronic 

circuit (hardware) . 
10 The management tool 52 has for example a SAM 

management function portion 57 and a card management 

function portion 58. 

The card reader/writer 53 transfers data by a 

noncontact method or a contact method with ICs of various 
15 cards shown below. 

The display 54 is used for displaying a card 

issuance screen and an AP management screen. 

The I/F 55 transfers data with the SAM units 9a and 

9b by the noncontact method or the contact method. 
20 The operation unit 56 is used for inputting 

instructions or data to the AP edit tool 51 and the 

management tool 52 . 

FIG. 3 is a flow chart for explaining an outline of 

the processing routine performed by the management device 
25 20. 
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Step ST1: 

The management device 20 prepares an owner card 72 
in which predetermined data is stored using a default 
card 71 set in the card reader/writer 53 by the card 
5 management function portion 58 in response to operation 
of the manager. Further, it prepares a user card 73 by 
using the owner card 72 . 

Namely, the management device 20 encrypts the 
device key data explained later by using the mutual 

10 authentication key data (key data of the present 

invention) related to the processing authorized to the 
means to be authenticated using the owner card 72 and the 
user card 73 among processings relating to the SAM units 
9a and 9b (authenticating means of the present invention) 

15 by a predetermined encryption method (predetermined 

generation method of the present invention) and generates 
the synthetic key data (first authentication use data of 
the present invention) making the mutual authentication 
key data hard to restore. 

20 Then, the management device 20 writes the generated 

synthetic key data and the key designation data 
designating the mutual authentication key data used for 
the generation of the synthetic key data into the ICs 
(integrated circuits of the present invention) of the 

25 owner card 72 and the user card 73. 
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Further, in the same way, the management device 20 
prepares the transport card 74 and the AP encryption card 
75. 

Step ST2: 

5 Where the user of the owner card 72 or the user 

card 73 makes the SAM units 9a and 9b perform the 
processing the authority of which was given to the user 
via the management device 20 by using these cards, the 
user makes the card reader /writer 53 of the management 
10 device 20 read and fetch the key designation data stored 
in the IC of the owner card 72 or the user card 73. 

The SAM management function portion 57 of the 
management device 20 outputs the read key designation 
data to the SAM units 9a and 9b. 
15 Step ST3: 

The SAM units 9a and 9b use the mutual 
authentication key data designated by the key designation 
data to encrypt the device key data by a predetermined 
encryption method and generate synthetic key data (second 
20 authentication use data of the present invention) . 
Step ST4 : 

The SAM management function portion 57 uses the 
synthetic key data read out from the card 72 or the card 
73 for authentication, while the SAM units 9a and 9b use 
25 the generated synthetic key data for authentication. 
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Step ST5: 

When the authentication decides that the SAM 
management function portion 57 and the SAM units 9a and 
9b hold the same synthetic key data, the SAM units 9a and 
5 9b execute processing related to one or more mutual 

authentication key data used for generating the synthetic 
key data in response to an instruction from the 
management device 20. 

FIG. 4 is a view for explaining cards used in the 
10 processing relating to the AP edit tool 51 and the 
management tool 52 shown in FIG. 2. 

As shown in FIG. 4, when using the management tool 
52 of the management device 20 to access the SAM units 9a 
and 9b, the owner card 72 and the user card 73 are used. 
15 Further, when providing an AP package file 

generated by the AP edit tool 51 to the management tool 
52, the AP package file is encrypted using the encryption 
key data stored in the IC of the AP encryption card 75. 

Namely, as shown in FIG. 4, the user prepares the 
20 application element data APE configuring the application 
program AP in the SAM module 8 by using the AP edit tool 
51. 

Then, the AP edit tool 51 prepares an AP package 
file including one or more application element data APE, 
25 encrypts this by using the encryption key data stored in 
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the AP encryption card 75, and provides this to the 
management tool 52 . 

The management tool 52 performs mutual 
authentication with the SAM units 9a and 9b as explained 
5 above and writes the AP package file received from the AP 
edit tool 51 to the AP memory areas in the SAM units 9a 
and 9b authorized relating to the mutual authentication 
key data used for the mutual authentication. 

Further, the transport card 74 is used for 
10 extracting data relating to the security of key data etc. 
held by the SAM units 9a and 9b, transferring the same to 
another apparatus, and storing the same. 

[IC Card 3 and Mobile Communication Device 41] 

FIG. 5 is a functional block diagram of the IC card 

15 3. 

As shown in FIG. 5, the IC card 3 has an IC 
(integrated circuit) module 3a provided with a memory 50 
and a CPU 51. 

The memory 50 has, as shown in FIG. 6, a memory 
20 area 55_1 used by a service business 15_1 such as a 

credit card company, a memory area 55_2 used by a service 
business 15_2, and a memory area 55_3 used by a service 
business 15_3. 

Further, the memory 50 stores the key data used for 
25 deciding the access right to the memory area 55_1 , the 

20 



key data used for deciding the access right to the memory 
area 55_2 , and the key data used for deciding the access 
right to the memory area 55_3. The key data is used for 
the mutual authentication, the encryption and decryption, 
5 etc. of the data. 

Further, the memory 50 stores identification data 
of the IC card 3 or the user of the IC card 3. 

The mobile communication device 41 has a 
communication processing unit 43 for communication with 
10 ASP server apparatuses 19a and 19b via a mobile phone 

network and the Internet 10 and an IC module 42 able to 
transfer data with the communication processing unit 43 
and communicates with the SAM unit 9a from an antenna via 
the Internet. 

15 The IC module 42 has the same functions as those of 

the IC module 3a of the IC card explained above except 
for the point of transferring data with the communication 
processing unit 43 of the mobile communication device 41. 
Note that the processing using the mobile 

20 communication device 41 is carried out in the same way as 
the processing using the IC card 3, while the processing 
using the IC module 42 is carried out in the same way as 
the processing using the IC module 3a. Therefore, in the 
following explanation, the processing using the IC card 3 

25 and the IC module 3a will be exemplified. 
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Below, an explanation will be given of the SAM 
units 9a and 9b. 

As shown in FIG. 1, the SAM units 9a and 9b have 
external memories 7 and SAM modules 8 . 
5 Here, the SAM module 8 may be realized as a 

semiconductor circuit or may be realized as a device 
accommodating a plurality of circuits in a housing. 
[Software Configuration of SAM Module 8] 
The SAM module 8 has the software configuration as 
10 shown in FIG. 7. 

As shown in FIG. 7, the SAM module 8 has, from the 
bottom layer to the top layer, a hardware HW layer, a 
driver layer (OS layer) including an RTOS kernel etc. 
corresponding to the peripheral HW, a lower handler layer 
15 for performing processing in logically composed units, an 
upper handler layer combining application-specific 
libraries, and an AP layer in that order. 

Here, in the AP layer, the application programs 
AP 1 , AP__2 , and AP_3 prescribing procedures by the 
20 service businesses 15_1, 15 _2 , and 15_3 such as the 

credit card company shown in FIG. 1 using the IC cards 3 
are read out from the external memory 7 and run. 

In the AP layer, firewalls FW are provided between 
the application programs AP__1 , AP_2 , and AP_3 and between 
25 them and the upper handler layer. 
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[Hardware Configuration of SAM Module 8] 
FIG. 8 is a view for explaining the hardware 

configuration of the SAM module 8 and the memory area of 

the external memory 7 . 

As shown in FIG. 8, the SAM module 8 has for 

example a memory I/F 61, an external I/F 62, a memory 63, 

an authentication unit 64, and a CPU 65 connected via a 

bus 60. 

Here, the SAM module 8 corresponds to the data 
processing system of the fourth aspect of the invention, 
the external I/F 62 corresponds to the inputting means of 
the present invention, the authentication unit 64 
corresponds to the authenticating means of the present 
invention, and the CPU 65 corresponds to the controlling 
means of the present invention. 

Further, the SAM module 8 corresponds to the data 
processing system of the fifth aspect of the invention. 
It is also possible to execute a program including the 
following routines to realize its functions thereof. 

The memory I/F 61 transfers data with the external 
memory 7 . 

The external I/F 62 transfers data and commands 
with the ASP server apparatuses 19a and 19b and the 
management device 20 shown in FIG. 1. 

The memory 63 stores various key data etc. used for 
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the mutual authentication etc. of the SAM units 9a and 9b 
explained later. The key data may be stored in the AP 
management use memory area 221 of the external memory 7 
as well. 

5 The authentication unit 64 performs the processing 

relating to the mutual authentication explained later. 
The authentication unit 64 performs for example 
encryption and decryption using predetermined key data. 

The CPU 65 centrally controls the processing of the 

10 SAM module 8. 

When confirming that the means to be authenticated 
is a legitimate party by the mutual authentication, the 
CPU 65 authorizes the processing related to the mutual 
authentication key data explained later to the means to 

15 be authenticated and executes this as will be explained 
later. 

A detailed explanation will be given below of the 
mutual authentication processing by the SAM module 8. 
[External Memory 7] 
20 As shown in FIG. 8, the memory area of the external 

memory 7 includes an AP memory area 220_1 (service AP 
resource area) for storing the application program AP_1 
of the service business 15_1 , an AP memory area 220_2 for 
storing the application program AP__2 of the service 
25 business 15 2, an AP memory area 220_3 for storing the 
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application program AP_2 of the service business 15_3, 
and an AP management use memory area 221 (system AP 
resource area and manufacturer AP resource area) used by 
the manager of the SAM module 208. 
5 The application program AP_1 stored in the AP 

memory area 220_1 is comprised of a plurality of 
application element data APE (data modules of the present 
invention) explained later as shown in FIG. 9. The access 
to the AP memory area 220_1 is restricted by a firewall 
10 FW_1 . 

The application program AP_2 stored in the AP 
memory area 220_2 is comprised of a plurality of 
application element data APE as shown in FIG. 9. The 
access to the AP memory area 220_2 is restricted by a 

15 firewall FW_2 . 

The application program AP_3 stored in the AP 
memory area 220__3 is comprised of a plurality of 
application element data APE as shown in FIG. 9. The 
access to the AP memory area 220_3 is restricted by a 

20 firewall FW_3 (illustrated in FIG. 8) . 

In the present embodiment, the application element 
data APE is the minimum unit downloaded from the outside 
of for example the SAM unit 9a into the external memory 7 . 
The number of the application element data APE composing 

25 each application program can be freely determined by the 
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corresponding service business. 

Further, the application programs AP_1 , AP_2 , and 
AP 3 are prepared for example by service businesses 16_1, 
16 2, and 16_J3 by using the personal computers 15_1, 15_2 , 
5 and 15_3 shown in FIG. 1 and downloaded to the external 
memory 7 via the SAM mobile 8. 

Note that the program and the data stored in the AP 
management use memory area 221 are also comprised by 
using the application element data APE. 
10 FIG. 10 is a view for explaining the application 

element data APE . 

The application element data APE is comprised by 
using the instance prescribed according to the APE type 
indicating the classification prescribed based on the 
15 attribute (type) of the APE as shown in FIG. 10. 

Each instance is prescribed according to an element 
ID, an element property, and an element version. 

It is prescribed based on the APE type in which of 
the service AP memory areas 220_1, 220_2, and 220_3 and 
20 the AP management use memory area 221 the application 
element data APE is stored. 

The service AP memory area 220_1 stores the data 
which can be accessed by each service business. 

Note that the AP management use memory area 221 has 
25 a system AP memory area for storing the data which can be 
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accessed by the manager of the system and a manufacturer 
AP memory area for storing the data which can be accessed 
by the manufacturer of the system. 

Further, the AP memory area is comprised by the 
5 service AP memory areas 220_1, 220J2, and 220_3 and the 
AP management use memory area 221. 

In the present embodiment, an ID (AP memory area 
ID) is assigned to each of the service AP memory areas 
220 1, 220 2, and 220_3 and the AP management use memory 
10 area 221, and an identification use number (APE type 

number, instance number, and element version number) is 
assigned to each of the APE type, the instance, and the 
element version. 

FIG. 11 is a view for explaining an example of the 

15 APE type . 

As shown in FIG. 11, the APE type includes IC 
system key data, IC area key data, IC service key data, 
IC synthetic key data, IC key change package, IC issuance 
key package, IC EXPANSION issuance key package, IC area 

20 registration key package, IC area deletion key package, 
IC service registration key package, IC service deletion 
key package, IC memory division key package, IC memory 
division element key package, obstacle recording file, 
mutual authentication use key, package key, negative list, 

25 and service data temporary file. 
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The APE type number is assigned to each APE type. 

Below, an explanation will be given of part of the 
APE type shown in FIG. 1. 

The IC system key data, the IC area key data, the 
5 IC service key data, and the IC synthetic key data are 

card access key data used for the read/write operation of 
data with respect to the memories 50 of the IC card 3 and 
the IC module 42 . 

The mutual authentication use key data is also used 
10 for the mutual authentication between APs existing in the 
same SAM. The SAM mutual authentication use key data 
means the key data used when accessing the corresponding 
application element data APE from another AP in the same 
SAM or another SAM. 
15 The IC memory division use key package is the data 

used for dividing the memory area of the external memory 
7 and the memory of the IC card 3 before the start of 
provision of service using the IC card 3 by the service 
business . 

20 The IC area registration key package is the data 

used at the time of area registration in the memory area 
of the memory of the IC card 3 before starting provision 
of service using the IC card 3 by the service business. 

The IC area deletion key package is a package able 

25 to be automatically generated from the card access key 
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data inside the SAM. 

The IC service registration use key package is used 
for registering the application element data APE of the 
external memory 7 before the start of the provision of 
the service using the IC card 3 by the service business. 

The IC server deletion key package is used for 
deleting application element data APE registered in the 
external memory 7 . 

[Preparation of Owner Card 72 and User Card 73] 

FIG. 12 is a flow chart for explaining routines for 
preparation of the owner card 72 and the user card 73. 

FIG. 12 shows details of steps ST1 and ST2 shown in 

FIG. 3. 

Step ST11: 

For example, when the manager prepares the owner 
card 72, it selects the processing relating to the SAM 
units 9a and 9b authorized to the user of the owner card 
72. 

Further, when the manager etc. prepares the user 
card 73, it selects the processing relating to the SAM 
units 9a and 9b authorized to the user of the user card 
73. 

The processing relating to the SAM units 9a and 9b 
includes for example the processing for executing the 
functions provided by the SAM units 9a and 9b or the 
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access to the data held by the SAM units 9a and 9b (for 
example the application element data APE) . 
Step ST12: 

The manager etc. selects the mutual authentication 
5 key data related to the processing selected at step ST11 
and inputs or designates the same to the card management 
function portion 58 of the management device 20. 

The mutual authentication key data will be 
explained in detail later. 
10 Step ST13: 

The card management function portion 58 of the 
management device 20 uses one or more mutual 
authentication key data selected at step ST12 to generate 
the synthetic key data based on the degradation 
15 processing method (the predetermined generation method of 
the present invention) explained later. 

The degradation processing will be explained in 
detail later. 

Step ST14: 

20 The card management function portion 58 of the 

management device 20 generates the key designation data 
indicating the mutual authentication code for identifying 
the mutual authentication key data used for generating 
the synthetic key data at step ST13. 

25 The key designation data becomes data indicating 
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the right of execution of the processing relating to the 
SAM units 9a and 9b acquired by the user of the owner 
card 72 or the user card 73. 
Step ST15: 

5 The card management function portion 58 of the 

management device 20 writes the synthetic key data 
generated at step ST13 and the key designation data 
generated at step ST14 into the IC of the owner card 72 
or the user card 73. 
10 Step ST16: 

The card management function portion 58 of the 
management device 20 registers the mutual authentication 
key data used for generating the synthetic key data of 
step ST13 into the SAM units 9a and 9b. 
15 Below, an explanation will be given of the mutual 

authentication key data covered by the selection at step 
ST12 shown in FIG. 12 explained above. 

FIG. 13 is a view for explaining the mutual 
authentication key data covered by the selection at step 
20 ST12 shown in FIG. 12. 

As shown in FIG. 13, the mutual authentication key 
data includes for example device key data, termination 
key data, manufacturer setting service mutual 
authentication key data, hardware management service 
25 mutual authentication key data, communication management 
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service mutual authentication key data, mutual 
authentication service mutual authentication key data, AP 
memory area management service mutual authentication key 
data, service AP memory area mutual authentication key 
5 data, system AP memory area mutual authentication key 
data, and manufacturer AP memory area mutual 
authentication key data. 

Further, as shown in FIG. 13 and FIG. 14, the 
mutual authentication code of the mutual authentication 
10 key data is comprised of, as shown in FIG. 14, an AP 
memory area ID, an element type number, an element 
instance number, and an element version number explained 
by using FIG. 10. 

Below, an explanation will be given of the key 
15 designation data generated at step ST14 shown in FIG. 12 
explained above. 

The key designation data is a mutual authentication 
code list comprised by using the mutual authentication 
codes of a plurality of mutual authentication key data. 
20 FIG. 15A and FIG.15B are views for explaining an 

example of the key designation data. 

At step ST12 of FIG. 12, when for example the 
device key data, the hardware management service mutual 
authentication key data, the communication management 
25 service mutual authentication key data, the AP memory 
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area management service mutual authentication key data, 
the service AP memory area mutual authentication key data, 
and the termination key data shown in FIG. 13 are 
selected, as shown in FIG. 15A, key designation data 
5 indicating the mutual authentication codes of all 

selected mutual authentication key data is generated. 

At step ST13 shown in FIG. 12, when the synthetic 
key data is generated by using the mutual authentication 
key data of* the mutual authentication codes shown in FIG. 

10 15A, the mutual authentication with the SAM units 9a and 
9b using the synthetic key data authorizes the management 
device 20, as shown in FIG. 15B, to access the hardware 
management service, the communication management service, 
the IC service (service concerning the IC card 3 and the 

15 IC module 421) , the mutual authentication service, and 
the AP memory area management service. 

In this way, in the present embodiment, the 
synthetic key data can be generated by using the 
functions of the SAM units 9a and 9b and the mutual 

20 authentication key data related to a plurality of 

processing including the access to the data held by the 
SAM units 9a and 9b (for example the application element 
data APE) . 

Due to this, the mutual authentication using a 
25 single synthetic key data enables the SAM units 9a and 9b 
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to collectively judge whether or not both of the 
functions of the SAM units 9a and 9b and the access to 
the data held by the SAM units 9a and 9b are authorized 
to the means to be authenticated. 
5 Then, the SAM units 9a and 9b execute the 

processings relating to the predetermined functions 
related to the mutual authentication key data and 
authorize access to the data held by the SAM units 9a and 
9b from the means to be authenticated in response to an 

10 instruction of the means to be authenticated when 

authenticating that the means to be authenticated is 
legitimate . 

Below, an explanation will be given of the 
degradation processing method of step ST13 shown in FIG. 

15 12. 

FIG. 16 is a flow chart for explaining the 
degradation processing method. 
Step ST21: 

The card management function portion 58 of the 
20 management device 20 uses the device key data as a 

message, uses the first of the mutual authentication key 
data other than the device key data and termination key 
data selected at step ST12 shown in FIG. 12 as the 
encryption key, and encrypts the device key data to 
25 generate intermediate key data. 
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Here, when the number of the mutual authentication 
key data other than the device key data and the 
termination key data selected at step ST12 is one, the 
card management function portion 58 performs the 
5 processing of the following step ST22 by using the 
intermediate key data. 

On the other hand, when the number of the mutual 
authentication key data other than the device key data 
and the termination key data selected at step ST12 is two 

10 or more, the card management function portion 58 uses the 
intermediate key data as the message and uses the next 
mutual authentication key data as the encryption key to 
perform the encryption. 

The card management function portion 58 uses all 

15 mutual authentication key data other than the device key 
data and the termination key data selected at step ST12 
as the encryption key and repeats the above processings 
until the above encryption is carried out. When it ends, 
it proceeds to the processing of step ST22 . 

20 Step ST22: 

The card management function portion 58 uses the 
intermediate key data obtained at step ST21 as the 
message and uses the termination key data as the 
encryption key to perform the encryption to generate the 

25 synthetic key data. 
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The termination key data is tamper-proofing key 
data and is held only by the manager. 

Due to this, it is possible to prevent a party 
other than the manager from illegitimately tampering with 
5 the synthetic key data. 

Below, an explanation will be given of a case of 
generating synthetic key data by a predetermined 
degradation processing method using the owner termination 
key data owned by only the manager (owner) and the user 
10 termination key data owned by the user given a right from 
the manager as the termination key data. 

FIG. 17 is a flow chart for explaining the 
degradation processing method. 

In FIG. 17, the processings of steps ST31 and ST32 
15 are the same as the processings of steps ST21 and ST22 

explained by using FIG. 16 except for the point of using 
the owner termination key data as the termination key 
data . 

The synthetic key data generated at step ST32 is 
20 the synthetic key data which can be expanded in the sense 
that the users given the user termination key data can be 
increased . 

Step ST33: 

The card management function portion 58 of the 
25 management device 20 uses the expandable synthetic key 
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data generated by the owner as the message and uses the 
first of the mutual authentication key data other than 
the user termination key data selected by the user as the 
encryption key to encrypt the device key data to generate 
5 the intermediate key data. 

Here, when the number of the mutual authentication 
key data other than the selected user termination key 
data is one, the card management function portion 58 
performs the processing of the following step ST22 using 
10 the intermediate key data. 

On the other hand, when the number of the mutual 
authentication key data other than the selected user 
termination key data is two or more, the card management 
function portion 58 performs the encryption by using the 
15 intermediate key data as the message and using the next 
mutual authentication key data as the encryption key. 

The card management function unit 58 repeats the 
above processings until using all mutual authentication 
key data other than the selected termination key data as 
20 the encryption key for the encryption and proceeds to the 
processing of step ST34 when finishing. 

Step ST34 : 

The card management function unit 58 uses the 
intermediate key data obtained at step ST33 as the 
25 message and uses the user termination key data as the 
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encryption key to perform encryption to generate the 
synthetic key data. 

The user termination key data is the tamper- 
proofing key data and is held by only the owner and the 
5 user. 

Due to this, illegitimate tampering with the 
synthetic key data by a party other than the owner and 
the user can be prevented. 

The synthetic key data generated by the processing 
10 shown in FIG. 17 is comprised of the mutual 

authentication key encrypted by the hierarchy as shown in 
FIG. 18. 

Further, in the present embodiment, it is also 
possible to link a plurality of application element data 
15 APE to single mutual authentication key data (for example 
service, system, and manufacturer AP memory area mutual 
authentication key data shown in FIG. 13) . 

Due to this, the authentication using the synthetic 
key data enables the SAM units 9a and 9b to collectively 
20 judge whether or not access to the application element 

data APE related to the single mutual authentication key 
data is authorized. 

For example, in FIG. 19, an authorization C of an 
instance a of the application element data APE and an 
25 authorization B of an instance b are linked with mutual 
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authentication key data 500. For this reason, if the 
authentication using the synthetic key data degrading the 
mutual authentication key data 500 succeeds, the SAM 
units 9a and 9b authorize access to both of" the instances 
5 a and b . 

Further, in the present embodiment, it is also 
possible to use a pair of" on-line mutual authentication 
key data MK1 and off-line mutual authentication key data 
MK2 as shown in FIG. 20 for all or part of the mutual 

10 authentication key data explained by using FIG. 13. 
In this case, at the time of the mutual 
authentication, use is made of the on-line mutual 
authentication key data MK1 , while when transferring data 
with the other party in the mutual authentication, the 

15 data to be transferred is encrypted by using the off-line 
mutual authentication key data MK2 corresponding to that. 

Due to this, even if the on-line mutual 
authentication key data MK1 is illegitimately acquired by 
another party, since the data transferred between the 

20 means to be authenticated and the authenticating means is 
encrypted by the off-line mutual authentication key data 
MK2, illegitimate leakage of the information to the 
outside can be prevented. 

Below, an explanation will be given of the mutual 

25 authentication between the SAM management function 
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portion 57 of the management device 20 and the SAM units 
9a and 9b performed at step ST3 etc. shown in FIG. 3. 

In this case, the management device 20 becomes the 
means to be authenticated, and the SAM units 9a and 9b 
5 become the authenticating means . 

FIG. 21 and FIG. 22 are flow charts for explaining 
the mutual authentication between the. SAM management 
function unit 57 of the management device 20 and the SAM 
unit 9a. 

10 The SAM unit 9b is the same as the case of the SAM 

unit 9a shown below. 
Step ST51: 

First, the manager or user sets the owner card 72 
or the user card 73 in the card reader/writer 53. 

15 Then, the synthetic key data Ka (the first 

authentication use data of the present invention) and the 
key designation data stored in the owner card 72 and the 
user card 73 are read into the SAM management function 
unit 57 of the management device 20. 

20 The SAM management function unit 57 generates a 

random number Ra . 
Step ST52 : 

The SAM management function unit 57 encrypts the 
random number Ra generated at step ST51 by an encryption 
25 algorithm 1 by using the synthetic key data Ka read at 
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step ST51 to generate the data Ra' . 
Step ST53: 

The SAM management function unit 57 outputs the key 
designation data read at step ST51 and the data Ra' 
5 generated at step ST52 to the SAM unit 9a. 

The SAM unit 9a receives as input the key 
designation data and the data Ra' via the external I/F 62 
shown in FIG. 8 and stores this in the memory 63. 

Step ST54: 

10 The authentication unit 64 of the SAM unit 9a 

specifies the mutual authentication key data indicated by 
the key designation data input at step ST53 from among 
the mutual authentication key data stored in the memory 
63 or the external memory 7 . 

15 Step ST55: 

The authentication unit 64 of the SAM unit 9a uses 
the mutual authentication key data specified at step ST54 
to perform the degradation processing explained using FIG. 
16 or FIG. 17 to generate the synthetic key data Kb. 

20 Step ST56: 

The authentication unit 64 of the SAM unit 9a uses 
the synthetic key data Kb generated at step ST55 to 
decrypt the data Ra' input at step ST53 with a decryption 
algorithm 1 corresponding to the encryption algorithm 1 

25 to generate the random number Ra. 
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Step ST57: 

The authentication unit 64 of the SAM unit 9a uses 
the synthetic key data Kb to encrypt the random number Ra 
generated at step ST56 with an encryption algorithm 2 to 
5 generate data Ra" . 

Step ST58: 

The authentication unit 64 of the SAM unit 9a 
generates a random number Rb . 
Step ST59: 

10 The authentication unit 64 of the SAM unit 9a uses 

the synthetic key data Kb to generate data Rb' . 
Step ST60: 

The authentication unit 64 of the SAM unit 9a 
outputs the data Ra" generated at step ST57 and the data 
15 Rb' generated at step ST59 to the management device 20. 
Step ST61: 

The SAM management function unit 57 of the 
management device 20 uses the synthetic key data Ka to 
decrypt the data Ra" and Rb' input at step ST60 by the 
20 decryption algorithm 2 corresponding to the encryption 
algorithm 2 to generate data Ra and Rb. 

Step ST62: 

The SAM management function unit 57 of the 
management device 20 compares the random number Ra 
25 generated at step ST51 and the data Ra generated at step 
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ST61. 

Then, when the result is the same as the above 
comparison, the SAM management function unit 57 
authenticates that the synthetic key data Kb held by the 
SAM unit 9a is the same as the synthetic key data Ka held 
by the SAM management function unit 57 and the SAM unit 
9a is a legitimate authenticating means. 

Step ST63: 

The SAM management function unit 57 of the 
management device 20 uses the synthetic key data Ka to 
encrypt the data Rb generated at step ST61 by the 
encryption algorithm 1 to generate the data Rb" . 

Step ST64 : 

The SAM management function unit 57 of the 
management device 20 outputs the data Rb" generated at 
step ST 63 to the SAM unit 9a. 

Step ST65: 

The authentication unit 64 of the SAM unit 9a uses 
the synthetic key data Kb to decrypt the data Rb" input 
at step ST64 by the decryption algorithm 1 to generate 
the data Rb. 

Step ST66: 

The authentication unit 64 of the SAM unit 9a 
compares the random number Rb generated at step ST58 and 
the data Rb generated at step ST65. 
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Then, when the same result as that in the above 
comparison is shown, the authentication unit 64 
authenticates that the synthetic key data Kb held by the 
SAM unit 9a is the same as the synthetic key data Ka held 
5 by the SAM management function unit 57 and the SAM 

management function unit 57 is a legitimate means to be 
authenticated . 

Below, an explanation will be given of the 
processings performed by the SAM units 9a and 9b based on 
10 the results of the mutual authentication explained by 
using FIG. 21 and FIG. 22. 

FIG. 23 is a view for explaining the processings of 
the SAM units 9a and 9b. 

Step ST71: 

15 The CPUs 65 of the SAM units 9a and 9b shown in FIG. 

8 judge whether or not the authentication unit 64 
authenticated that the authenticating means was 
legitimate at step ST66 shown in FIG. 22. When deciding 
it as legitimate, they proceed to the processing of step 

20 ST72, while when deciding it is not, end the processing 
(that is, judge that the authenticating means does not 
have any right relating to the processing and do not 
execute the processing) . 
Step ST72: 

25 The CPUs 65 of the SAM units 9a and 9b execute the 
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processings relating to the mutual authentication key 
data specified at step ST54 shown in FIG. 21. Due to this, 
the predetermined service required by the means to be 
authenticated is provided. Namely, the SAM units 9a and 
5 9b judge that the means to be authenticated has the 

predetermined right and execute the processing authorized 
for the right. 

Below, an explanation will be given of the screens 
used for issuing various types of cards in relation to 
10 the management device 20 explained by using FIG. 2 and 
FIG. 4. 

When the manager etc. operates the operation unit 
5'6 shown in FIG. 2 to instruct display of the operation 
screen of the management tool 52, for example, as shown 
15 in FIG. 24, a SAM management screen 750 is displayed on 
the display 54 . 

The SAM management screen 750 displays an image 751 
for instructing the preparation of a management tool use 
card at the tool bar. 
20 Further, the SAM management screen 750 displays an 

image 752 indicating the network configuration of the SAM 
connected to the SAM network. 

When the user designates the screen 751 on the SAM 
management screen 750 by for example a mouse of the 
25 operation unit 56, an image 753 is displayed. 
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As the image 753, images indicating the preparation 
of the owner card, the preparation of the user card, the 
preparation of the AP encryption card, and the 
preparation of the transport card are displayed. 
5 Below, an explanation will be given of a screen for 

when instructing preparation of the cards indicated in 
the image 751. 

First, an explanation will be given of the screen 
for preparing an owner card. 

10 When the manager instructs the preparation of an 

owner card on the image 751 shown in FIG. 24 by a mouse, 
the card management function unit 58 shown in FIG. 2 
displays an owner card preparation screen 7 60 shown in 
FIG. 25 on the display 54. 

15 The owner card preparation screen 760 displays a 

used service selection image 761, a service AP memory- 
area designation image 762, a system AP area designation 
image 763, a device/termination key designation image 764, 
and a designation decision instruction image 765. 

20 The used service selection image 761 is an image 

for selecting for example the content of the service 
authorized to the owner card 72 to be prepared. 

The service AP memory area designation image 762 is 
an image for selecting the format authorized for access 

25 to the service AP memory area using the owner card 72 to 
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be prepared. 

The system AP memory area designation image 763 is 
an image for selecting the format authorized for access 
to the system AP memory area using the owner card 72 to 
be prepared. 

The device/ termination key designation image 764 is 
an image for designating the device key data and the 
termination key data used for preparing the owner card 72 

The designation decision instruction image 7 65 is 
an image for inputting instructions for deciding the 
designated content . 

When finishing designation of required items on the 
owner card preparation screen 7 60, the manager designates 
the designation decision instruction image 765 by the 
mouse etc. 

Due to this, the card set instruction screen 760 
shown in FIG. 26 is displayed on the display 54. 

When preparing an owner card 72 , the card set 
instruction screen 770 instructs to set the default card 
71. 

Then, the manager makes the card reader/writer 53 
read the data of the IC of the default card 71. 

When confirming the legitimacy of the default card 
71, the SAM management function unit 57 selects the 
mutual authentication key data related to the service etc 
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selected by the manager on the owner card preparation 
screen 760. The selection corresponds to the selection of 
step ST12 explained by using FIG. 12. 

Next, an explanation will be given of the screen 
5 for preparation of a user card. 

When the manager instructs the preparation of a 
user card on the screen 751 shown in FIG. 24 by the mouse, 
the card management function unit 58 shown in FIG. 2 
displays the user card preparation screen 780 shown in 
10 FIG. 27 on the display 54. 

The user card preparation screen 780 displays a 
used service selection image 781, a service AP memory 
area designation image 782, a system AP area designation 
image 783, a device/termination key designation image 784, 
15 and a designation decision instruction image 785. 

The used service selection image 781 is an image 
for selecting the content of the service authorized to 
the prepared user card 73. 

The service AP memory area designation image 782 is 
20 an image for selecting the format authorized for access 
to the service AP memory area using the prepared user 
card 73. 

The system AP memory area designation image 783 is 
an image for selecting the format authorized for access 
25 to the system AP memory area using the prepared user card 
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73. 

The device /termination key designation image 784 is 
an image for designating the device key data and the 
termination key data used for preparing the user card 73. 
5 The designation decision instruction image 785 is 

an image for inputting instructions for deciding the 
designated content. 

When finishing designating the required items on 
the owner card preparation screen 780, the manager 
10 designates the designation decision instruction image 785 
by the mouse etc. 

Due to this, the card set instruction screen 770 
shown in FIG. 26 is displayed on the display 54. 

When preparing an owner card 73, the card set 
15 instruction screen 770 instructs to set the owner card 72. 

Then, the manager makes the card reader/writer 53 
read the data of the IC of the owner card 72. 

When confirming the legitimacy of the owner card 72, 
the SAM management function unit 57 selects the mutual 
20 authentication key data related to the service etc. 

selected by the manager on the user card preparation 
screen 780. The selection corresponds to the selection of 
step ST12 explained by using FIG. 12. 

Next, an explanation will be given of the screen 
25 for preparation of an AP encryption card. 
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When the manager instructs the preparation of an AP 
encryption card on the image 751 shown in FIG. 24 by the 
mouse, the card management function unit 58 shown in FIG. 
2 displays the AP encryption card preparation screen 790 
5 shown in FIG. 28 on the display 54. 

The AP encryption card preparation screen 7 90 
displays a used service selection image 791, a service AP 
memory area designation image 792, a system AP area 
designation image 793, a device/ termination key 
10 designation image 794, and a designation decision 
instruction image 795. 

The used service selection image 791 is an image 
for selecting the content of the service authorized to 
for example the prepared AP encryption card 75. 
15 The service AP memory area designation image 792 is 

an image for selecting the format authorized for access 
to the service AP memory area using the prepared AP 
encryption card 75 . 

The system AP memory area designation image 793 is 
20 an image for selecting the format for access to the 

system AP memory area using the prepared AP encryption 
card 75 . 

The device/ termination key designation image 794 is 
an image for designating the device key data and the 
25 termination key data used for preparing the AP encryption 
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card 75. 

The designation decision instruction image 795 is 
an image for inputting instructions for deciding the 
designated content . 
5 When finishing designating the required items on 

the AP encryption card preparation screen 790, the 
manager designates the designation decision instruction 
image 795 by the mouse etc. 

Due to this, the card set instruction screen 770 
10 shown in FIG. 26 is displayed on the display 54. 

When preparing the AP encryption card 75, the card 
set instruction screen 770 instructs for example to set 
the owner card 72 . 

Then, the manager makes the card reader/writer 53 
15- read the data of the IC of the owner card 72. 

When confirming the legitimacy of the owner card 72, 
the SAM management function unit 57 selects the mutual 
authentication key data related to the service etc. 
selected by the manager on the AP encryption card 
20 preparation screen 790. The selection corresponds to the 
selection of step ST12 explained by using FIG. 12. 

Next, an explanation will be given of the screen 
for preparation of a transport card. 

When the manager instructs the preparation of a 
25 transport card on the image 751 shown in FIG. 24, the 
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card management function unit 58 shown in FIG. 2 displays 
the transport card preparation screen 800 shown in FIG. 
29 on the display 54. 

The transport card preparation screen 800 displays 
5 an image for instructing the IP address of the SAM 
authorized for coverage of transport of data, the AP 
memory area, the APE type of the application element data 
APE, the instance number, and the version number. 

The card management function unit 58 degrades the 

10 mutual authentication key data related to the data for 

which access is authorized in the memory areas of the SAM 
units 9a and 9b based on the information designated on 
the transport card preparation screen 800 to' generate the 
synthetic key data and writes this into the transport 

15 card 74. 

As explained above, by the manager etc. selecting 
functions and issuing various types of cards based on the 
screen functionally showing processings etc. provided by 
the SAM units 9a and 9b, the manager can issue cards 

20 having the rights matching its own intent without 
concretely indicating to the manager the mutual 
authentication key data etc. actually used in the 
processing. Due to this, leakage of information relating 
to the security of the SAM units 9a and 9b can be avoided. 

25 Below, an explanation will be given of a SAM 
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management screen provided by the SAM management function 
unit 57 of the management tool 52 shown in FIG. 2. 

FIG. 30 is a view for explaining a SAM management 
screen 1001. 

5 When the manager etc. operates the operation unit 

56 shown in FIG. 2 to request the authentication of a SAM 
management screen display instruction to the management 
tool 52, for example the SAM management screen 1001 shown 
in FIG. 30 is displayed on the display 54. 

10 As shown in FIG. 30, the SAM management screen 1001 

has a menu bar 1002, a SAM tree area 1003, an attribute 
information display area 1004, a detailed information 
display area 1005, and a console area 1006. 

The menu^bar 1002 is used for designating various 

15 operations of the card management function unit 58 shown 
in FIG. 2. 

The operations include file operations, SAM command 
operations, management tool use card operations, console 
log operations , and help operations . 
20 The SAM tree area 1003 displays the SAMs (SAM units 

9a and 9b) operated by the SAM management function unit 

57 and the group to which the SAMs belong. 

The user selects the SAM covered by the operation 
on the SAM tree area 1003. 
25 The attribute information display area 1004 
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displays the information of the SAM and the group 
selected by the SAM tree area 1003. 

The detail information display area 1005 displays a 
list of various information in the SAM selected by the 
5 SAM tree area 1003 or group. 

The console area 1006 displays the information and 
results of various operations on the SAM. 

FIG. 31 is a view for explaining a screen showing 
an example of the display content of the SAM tree area 
10 1003. 

As shown in FIG. 31, the SAM tree area 1003 
displays various icons indicating the SAMs operated by 
the SAM management function unit 57 and the groups to 
which the SAMs belong etc. 

15 FIG. 32 is a view for explaining icons displayed in 

the SAM tree area 1003. 

As shown in FIG. 32, the icons displayed in the SAM 
tree area 1003 include ones indicating objects and data 
such as icons of the SAM network, groups (sets of SAMs) , 

20 SAMs (one SAM), AP memory areas, APE types, and instances. 

Further, the icons indicating the states of a SAM 
include icons such as "STANDBY" indicating that the SAM 
is in a state where the service is not started, "READY" 
indicating that the SAM is in the usual state, "READY" 

25 indicating the connection state finished the mutual 
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authentication, "SINGLE CONNECTION WAIT" indicating that 
the completion of* another connection is being awaited, 
and "SINGLE CONNECTION " indicating that only the 
management tool 52 is connected. 
5 In this way, the SAM tree area 1003 displays images 

corresponding to SAMs using a plurality of different 
patterns in accordance with the operating states of the 
SAMs . 

Due to this, the user can easily specify the state 
10 of a SAM. 

Further, the SAM tree area 1003 displays images 
corresponding to a SAM by a pattern enabling 
identification as to whether or not the SAM has finished 
the mutual authentication, that is, has already confirmed 
15 the legitimacy of the means to be authenticated, so the 
user can easily specify whether or not each SAM ends the 
mutual authentication . 

FIG. 33 is a view for explaining a SAM network 
screen 1010. 

20 When the user designates the icon of the SAM 

network by the mouse etc. on the SAM tree area 1003 shown 
in FIG. 31, the SAM network screen 1010 shown in FIG. 33 
is displayed on the display 54. 

The SAM network screen 1010 displays the IP 

25 addresses, ports, and states of the SAMs connected to the 
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SAM network and information regarding the groups, 

FIG. 34 is a view for explaining a group screen 

1020. 

When the user designates the icon of a group by the 
5 mouse etc. on the SAM tree area 1003 shown in FIG. 31, 
the group screen 1020 shown in FIG. 34 is displayed on 
the display 54 . 

The group screen 1020 displays information 
regarding the IP addresses, ports, and states of the SAMs 
10 belonging to the designated group. 

FIG. 35 is a view for explaining a SAM screen 1030. 
When the user designates the icon of a SAM by the 
mouse etc. on the SAM tree area 1003 shown in FIG. 31, 
the SAM screen 1030 shown in FIG. 35 is displayed on the 
15 display 54 . 

The SAM screen 1030 displays information regarding 
the IDs of the AP memory areas of the designated SAM and 
the purposes of the AP memory areas . 

FIG. 36 is a view for explaining an AP memory area 
20 screen 1040. 

When the user designates the icon of an AP memory 
area by the mouse etc. on the SAM tree area 1003 shown in 
FIG. 31, the AP memory area screen 1040 shown in FIG. 36 
is displayed on the display 54. 
25 The AP memory area screen 104 0 displays the numbers 
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of the APE types of the designated AP memory area and 
information regarding the types of the APE types. 

FIG. 37 is a view for explaining an APE type screen 

1050. 

5 When the user designates the icon of an APE type by 

the mouse etc. on the SAM tree area 1003 shown in FIG. 31, 
the APE type screen 1050 shown in FIG. 37 is displayed on 
the display 54. 

The APE type screen 1050 displays the numbers of 
10 the instances and the information regarding the system 
codes, area/service codes, etc. comprised using the 
designated APE type. 

FIG. 38 is a view for explaining an instance screen 

1080. 

15 When the user designates the icon of an instance by 

the mouse etc. on the SAM tree area 1003 shown in FIG. 31, 
the instance screen 1060 shown in FIG. 38 is displayed on 
the display 54. 

The instance screen 1060 displays information such 
20 as the operation state of the designated instance, the 

memory area, the IC service key, and the instance number. 

FIG. 39 shows a screen when designating the SAM 
command of the menu bar 1002 shown in FIG. 30. 

When the user designates the icon of a SAM command 
25 by the mouse etc. on the menu bar 1002 shown in FIG. 30, 
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the SAM command screen 1070 shown in FIG. 39 is displayed 
on the display 54. 

The SAM command screen 1070 displays text images of 
operations on the SAM such as communication management, 
5 AP memory area management, log recording, a negative list, 
manufacturer settings, etc. 

Here, when the user designates the communication 
management, text images such as acquisition of status, 
start of service, change of activation code, start of 
10 single connection, and disconnection are displayed. 

The user performs operations on the SAM by 
designating these text images . 

FIG. 40 is a view for explaining a case of 
preparing a group of the SAMs on the SAM management 
15 screen 1001 shown in FIG. 30. 

As shown in FIG. 40, when the user right clicks on 
the text image of SAM management at the SAM tree area 
1003 on the SAM management screen 1001 by the mouse etc. , 
an operation screen 1100 is displayed. 
20 The operation screen 1100 displays text images for 

instructing the preparation of a group of SAMs, addition 
of SAMs, and acquisition of newest information of SAMs. 

The user can define a group comprising a plurality 
of selected SAMs by designating the text image of 
25 preparation of a group of SAMs by the mouse etc. 
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In that case, by just issuing from the SAM 
management function unit 57 an instruction for outputting 
key designation data to a group, the key designation data 
is collectively provided to all SAMs (SAM units 9a and 
5 9b) belonging to the group. 

Further, in response to an instruction from the SAM 
management function unit 57, all SAMs belonging to the 
group can be made to collectively perform the processing 
related to the mutual authentication key data 
10 corresponding to the synthetic key data held by the SAM 
management function unit 57. 

Below, an explanation will be given of the AP 
memory area editor provided by the AP edit tool 51 shown 
in FIG. 2. 

15 FIG. 41 is a view for explaining an AP memory area 

editor screen 1200 . 

As shown in FIG. 41, the AP memory area editor 
screen 1200 displays the APE types and instance numbers 
of the application element data APE stored in the AP 
20 memory area covered by the editing. 

Further, the AP memory area editor screen 1200 
displays an icon 1210 indicating addition, an icon 1220 
indicating deletion, and an icon 1230 indicating editing. 

When the user designates the icon 1210 by the mouse 
25 etc. , processing for addition of an instance to the AP 
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memory area is carried out. 

Further, when designating the icon 1220, processing 
for deletion of an instance stored in the AP memory area 
is carried out. 

5 Further, when designating the icon 1230, processing 

for editing an instance stored in the AP memory area is 
carried out. 

FIG. 42 is a view for explaining a screen 1300 for 
performing the addition of the package of the application 
10 element data APE . 

The screen 1300 includes a field 1301 for 
designating whether to prepare an element or add a 
version, a field 1302 for selecting the APE type, and a 
field 1303 for designating the instance number. 
15 The user inputs information concerning the package 

to be added to the fields 1301, 1302, and 1303. 

Due to this, the AP edit tool 51 automatically 
performs the processing for addition of the element 
package . 

20 FIG. 43 is a view for explaining a screen 1400 for 

preparing the application element data APE . 

When inputting the predetermined information on the 
screen 1300 shown in FIG. 42 and designating the screen 
1304, the APE preparation screen 1400 shown in FIG. 43 is 

25 displayed. 
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The APE preparation screen 1400 displays the type 
of the application element data APE to be prepared and 
the number of the instance thereof. 

Further, the APE preparation screen 1400 displays a 
5 field 1401 for designating a tag, a field 1402 for 

designating the number of used versions, a field 1403 for 
designating whether element acquisition is possible, a 
field 1404 for designating whether automatic generation 
of the data is possible, and a field 1405 for designating 
10 deletion of an element. 

Further, it displays a field 1406 for designating 
the names and values of attribute information etc. such 
as various mutual authentication key data related to the 
application element data APE covered by the preparation. 
15 FIG. 44 is a view for explaining a screen 1500 for 

adding a version of the application element data APE. 

When designating addition of a version in the field 
1301, inputting the predetermined information, and 
designating the image 1304 on the screen 1300 shown in 
20 FIG. 42, the APE version addition screen 1500 shown in 
FIG. 44 is displayed. 

The APE version addition screen 1500 displays the 
type of the application element data APE covered by the 
preparation and the number of the instance thereof. 
25 Further, the APE version addition screen 1500 
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displays a field 1501 for designating the element version, 
a field 1502 for designating the key data input method, 
and a field 1503 for designating the item name and value 
of the element data. 
5 When using the screens shown in FIG. 42 to FIG. 44 

to prepare the application element data APE and add a 
version, as shown in FIG. 45, the AP memory area editor 
screen 1200 displays the information concerning the 
prepared and added application element data APE in the 

10 field 1240. 

As explained above, the management device 20, as 
explained by using FIG. 12 and FIG. 16 etc. , uses a 
plurality of mutual authentication key data related to 
the processings relating to the SAM units 9a and 9b the 

15 degradation processing to generate the synthetic key data. 
Then, the synthetic key data and the key 
designation data for specifying the mutual authentication 
key data used for generating that are written in the 
owner card 72 and the user card 73. 

20 Further, by performing the mutual authentication 

shown using FIG. 21 to FIG. 23 between the management 
device 20 using the owner card 72 etc. and the SAM units 
9a and 9b, the SAM unit 9a generates the synthetic key 
data based on the key designation data received from the 

25 management device 20. When the synthetic key data 
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coincides with that held by the management device 20, it 
can confirm the legitimacy of the management device 20 
serving as the means to be authenticated. 

Further, together with the confirmation, the 
5 processing related to the mutual authentication key data 
designated by the key designation data can be judged as 
processing authorized to the management device 20. 

Due to this, the SAM units 9a and 9b serving as the 
authenticating means do not have to hold the mutual 
10 authentication key data corresponding to all means to be 
authenticated (for example the management device 20 etc. 
using the owner card 72 and the user card 73) as in the 
conventional case and, in addition, do not have to manage 
the processing authorized to the means to be 
15 authenticated in the management table either, so the 
processing load" is reduced. 

The present invention is not limited to the above 
embodiment . 

In the present invention, it is also possible to 
20 store bio-information of the user of the card in the IC 

of any of for example the owner card 72, the user card 73, 
the transport card 74 , and the AP encryption card 75 and 
have the SAM units 9a and 9b further use the bio- 
information stored in the card together with the mutual 
25 authentication so as to authenticate the legitimacy of 
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the user . 

For example, in the above embodiment, the case 
where the SAM units 9a and 9b performed the mutual 
authentication with the management device 20 was 
5 exemplified, but it is also possible if the SAM units 9a 
and 9b perform the authentication with means to be 
authenticated such as the ASP server apparatuses 19a and 
19b or another SAM unit. In this case, the means to be 
authenticated holds the synthetic key data and the key 
10 designation data. 

Further, in the embodiment, the case where the 
owner card 72 and the user card 73 held the synthetic key 
data and the key designation data was exemplified, but it 
is also possible to make another mobile device etc. hold 
15 these data. 

INDUSTRIAL CAPABILITY 

The present invention can be applied to a data 
processing method for performing predetermined processing 
based on authentication results, its program, and its 
20 device. 
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